Cybercriminals are on the Hunt Using Social Engineering Tactics
By Lisa Ramirez, Director of Communications and Membership
Social engineering attacks like phishing have skyrocketed to take the top spot as the cause of cybersecurity breaches. What makes social engineering so effective? When cybercriminals use social engineering tactics, they prey on our natural instinct to help one another.
We think it can’t happen to us, but phishing isn’t a trap that only ensnares the gullible, warn the experts at Integrated Computer Services (ICS), a Glen Rock, N.J.-based organization specializing in IT consulting and network support for businesses with 10 to 1,000 employees. Gone are the days of poorly worded, patently obvious attempts at scamming users out of their hard-earned cash. Today’s sophisticated phishing attacks are almost indistinguishable from legitimate business communications: they are well written and thoroughly researched, and they establish a thread of communication with the victim before attempting to steal their credentials or bank balance.
Ultimately, cybercriminals use deception to trick their victims into voluntarily giving up confidential information. Phishing attacks represent a serious threat to online security for every person with a computer, tablet or smartphone. Hackers see it as an easy way to trick people into divulging sensitive information.
Automated protection cuts down on 99 percent of the spam and phishing to your inbox, but that remaining 1 percent can send you to a dangerous website, have you open a malicious file, or even lead you to inadvertently divulge sensitive information.
How to Spot Social Engineering
Phishing is constantly evolving and cybercriminals continually adopt new forms and techniques. With that in mind, everyone must keep an eye on their inbox. Here are some tell-tale signs you’re being targeted:
• Requesting log-in information.
If you get a message asking you for log-in credentials – even if it’s from a trusted source – you’re probably the target of a social engineering attack.
• Urgently asking for money or gift cards.
There’s seldom a reason why anyone, even someone you know, would urgently need money.
• Asking to verify your information.
This type of social engineering asks victims to verify their info to win a prize or a windfall. But even if the message comes from a legitimate organization it could very likely be a scam. Criminals can spoof an email and impersonate a business.
• URLs are misspelled. Usually, fake websites have an extra letter ‘S’ or ‘A’ in the spelling. For example, “www.walmarts.com.”
Source: The experts at Integrated Computer Services (ICS), Glen Rock, N.J.
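The misspelled-URL sign above can be checked mechanically before a link is clicked. The following Python code is an added example, not part of the original article or ICS's guidance; the trusted-domain list, the function names and the distance threshold of 2 are assumptions. It also flags a trusted name used as a subdomain of another domain, which goes slightly beyond the extra-letter case in the text.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: domains the organization really does business with.
TRUSTED = {"walmart.com", "paypal.com", "microsoft.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare host, without a leading 'www.'."""
    if "//" not in url:
        url = "//" + url  # makes urlsplit parse a bare host as the netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain it matches or imitates)."""
    host = host_of(url)
    # Naive "registered domain": last two labels (not public-suffix aware).
    base = ".".join(host.split(".")[-2:])
    if base in TRUSTED:
        return ("trusted", base)
    # Trusted name used as a subdomain of someone else's domain.
    for t in sorted(TRUSTED):
        if ("." + t + ".") in ("." + host + "."):
            return ("lookalike", t)
    # One or two typed characters away from a trusted name, e.g. an extra 's'.
    nearest = min(sorted(TRUSTED), key=lambda t: edit_distance(base, t))
    if edit_distance(base, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("www.walmarts.com", "https://www.walmart.com/cart",
                   "walmart.com.evil.example", "https://example.org"):
        print(sample, classify(sample))
```

An "unknown" verdict only means the domain does not resemble anything on the allowlist; it is not a statement that the site is safe.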
Top Tricks of Social Engineering Attacks
Here are a few common types of social engineering attacks that might appear in your inbox:
Payment Diversion Fraud
Cybercriminals often masquerade as a supplier, requesting that invoices be paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account.
Payment diversion fraud targets both businesses and individuals and the results can be devastating. There’s little point asking someone who isn’t authorized to make a bank transfer or change payment details, so threat actors target finance and HR teams, who routinely process payments and deal with changes to personal account details and are more likely to comply with the fraudulent request.
CEO Fraud
Impersonating a VIP – often the CEO – is big business for adversaries, knowing the recipient will often meet the request straightaway. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust of their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.
These deceitful requests often convey a sense of urgency and imply the interaction can only be carried out via email. The victim, therefore, has no time to question the validity of the request and is unable to call the CEO to confirm if it’s genuine.
Whaling
The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval. These phishing attacks are thoroughly researched, contain personalized information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP target.
Sextortion
A form of cyber blackmail, sextortion is when cybercriminals email their target claiming to have evidence of them committing X-rated acts or offenses and demanding payment to stop the criminals from sharing the evidence with their victim’s family or employer. Attackers count on their victims being too embarrassed to tell anyone about the email because it’s a subject most wouldn’t feel comfortable talking about with others.
The attackers often make the email sound like they’re doing their victim a favor in keeping the details to themselves. The victim may decide to pay up to stop embarrassing details about their private lives being made public, regardless of whether they’re true or not. Payments are usually demanded in Bitcoin or gift cards.
But if the victim knows they’re innocent, why do these attacks still work? It’s all about credibility – attackers harvest email addresses and passwords from previous cyberattacks, which are available on the internet, and include them in their email to add credibility. If an attacker emails you claiming to know one of your passwords and includes it for proof, you’re more likely to believe the rest of the email is genuine.
Updates on Site Inventory, Environmental Reform Topic of ABG Meeting
By Lisa Ramirez, Director of Communications and Membership
Orange County’s site inventory and pivotal environmental regulation changes were discussed at an informational networking session hosted by the Alliance for Balanced Growth (ABG).
The morning session, held August 16 at Delancey’s in Goshen, was moderated by ABG co-chairs John Lavelle of Rand Commercial and Andrew Fetherston of Colliers Engineering Design. About 85 business leaders, local lawmakers and others attended.
“We all benefit by knowing what’s going on out there with one another,” Lavelle said as he welcomed the attendees.
Lavelle began the discussion by noting that while there is a robust demand for commercial properties in Orange County, available sites remain in short supply. Compounding the challenge is a lack of infrastructure for those sites that are available.
Conor Eckert, Senior Development Officer and Vice President of Business Attraction for the Orange County Partnership, said that since the June launch of the ABG’s Site Inventory Program, Partnership representatives have met with officials from Blooming Grove, Monroe, Goshen and the Town of Wallkill. Up next are meetings with representatives from Middletown, Port Jervis, the City of Newburgh and other municipalities. The Partnership, he said, believes development opportunities exist in food and beverage processing, advanced manufacturing, clean energy and life sciences. “There’s real opportunity to compete for these sectors,” Eckert told the crowd.
One goal, Eckert said, is to develop a “portfolio of sites.” Eckert is heading the initiative along with Kaitlynn Lancellotti, Director of Business Retention and Expansion, and together they are compiling information on suitable properties along with zoning, infrastructure, tax and regulatory approval requirements. The focus is on properties that could accommodate new development of at least 20,000 square feet.
“I think that it is great that the organizations (the Orange County Partnership and the ABG) are coming together,” said Town of Wallkill Supervisor George Serrano. “We must have smart development. It is good to develop but being smart is getting all the parties together.”
Also at the meeting, Kimberly Semon, P.E., Senior Project Manager with Langan Engineering & Environmental Services, offered an update on PFA (polyfluoroalkyl substances) contamination and changing federal and state regulations that could impact development.
The U.S. Environmental Protection Agency issued an advisory in June that its health advisory threshold for PFAs in water sources will change from 70 parts per trillion to four parts per quadrillion, a profound decrease in tolerance. Airports, upholstery and textile factories, and landfills are among the types of properties where PFA contamination has been identified, Semon cautioned. Generally, contamination occurred between the 1940s and early 2000s.
Semon noted that the equipment to measure these newly reduced PFA levels has not yet been developed.